Mobile Engineer Invents iOS Security Flaw Reporting System

Pop quiz: you’re a security researcher picking apart someone else’s smartphone application. You discover a massive security hole that puts users at risk. What do you do?

Ideally, you’d report it, but the problem is many companies don’t provide a clear way to do that. Even finding the right person to email is difficult. It can create real problems, as Google Project Zero researcher Natalie Silvanovich found in August 2018 after spotting a bug in Samsung’s 7 Edge. Reporting the vulnerability was a nightmare for her.

Mobile security engineer Ivan Rodriguez experienced the same problem. He explained: “More often than not, I have to write an email to a generic info@company.com or fill out a form on the company.com/contact website. Most of these channels are handled by people in marketing or sales, who might have no idea how to respond, what to do or even to identify if it’s a real problem.”

Now, he thinks he’s found the answer. He wants to produce a standard format for holding the necessary vulnerability reporting policy and contact information in a single, easy-to-view file called a property list (plist).

These files are a little like a ‘readme’ file for Apple applications, and the company’s Xcode development environment creates a general info.plist property file by default.

Rodriguez has proposed putting an organization’s bug reporting details in a property list called security.plist. As developers can easily look inside a plist file using Xcode, they can easily find the person that they need to report a bug to, he says.

Rodriguez’s proposed format draws on an existing idea called security.txt, which is currently making its way through the Internet Engineering Task Force (IETF) standardization process. Security.txt houses the same kind of policy and contact information, but for websites.

His proposed file format, which you can see in his blog post, includes not just contact information but a public PGP key that bug hunters can use to encrypt their reports (stopping sensitive bug information from falling into the wrong hands). It includes a page where the company publishes acknowledgements to researchers reporting bugs, and a link to find the organization’s vulnerability reporting policy.
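As an added illustration (not code from Rodriguez’s proposal or from this article), the following Python lint parses a security.plist and checks that the fields the article describes are present and sane: a contact, a PGP key, a policy link and an acknowledgements page, with links required to use https so a researcher is not sent to a tamperable page. The key names and sample values are assumptions made for the example, not the exact keys of the proposed format.

```python
import plistlib
import re

# Constructed sample security.plist in XML form. The key names are
# assumptions made for this illustration, not the exact keys of Rodriguez's proposal.
SAMPLE_SECURITY_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>Contact</key>
  <string>mailto:security@example.com</string>
  <key>Encryption</key>
  <string>https://example.com/security-pgp-key.asc</string>
  <key>Acknowledgements</key>
  <string>http://example.com/hall-of-fame</string>
  <key>Policy</key>
  <string>https://example.com/vulnerability-disclosure-policy</string>
</dict>
</plist>
"""

REQUIRED_KEYS = ("Contact", "Encryption", "Policy")
URL_KEYS = ("Policy", "Acknowledgements")  # must be https:// when present
PGP_ARMOR_HEADER = "-----BEGIN PGP PUBLIC KEY BLOCK-----"

def lint_dict(root: dict) -> list[str]:
    """Check a parsed security.plist dict; return findings (empty list = clean)."""
    findings = []
    for key in REQUIRED_KEYS:
        if key not in root:
            findings.append(f"missing required key: {key}")
    contact = root.get("Contact")
    if isinstance(contact, str) and not re.match(r"^(mailto:|https://)", contact):
        findings.append("Contact must be a mailto: or https:// URI")
    enc = root.get("Encryption")  # inline armored PGP key or an https:// link to one
    if isinstance(enc, str) and not (
        enc.startswith("https://") or enc.lstrip().startswith(PGP_ARMOR_HEADER)
    ):
        findings.append("Encryption must be an https:// URL or an armored PGP public key")
    for key in URL_KEYS:
        value = root.get(key)
        if isinstance(value, str) and not value.startswith("https://"):
            findings.append(f"{key} should be an https:// URL, got {value!r}")
    return findings

def lint_security_plist(data: bytes) -> list[str]:
    root = plistlib.loads(data)  # raises plistlib.InvalidFileException if malformed
    if not isinstance(root, dict):
        return ["top-level plist object must be a dict"]
    return lint_dict(root)
```

Running the lint over the constructed sample reports only the plain-http acknowledgements link; the same function accepts a binary plist, since plistlib detects the format from the header.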

Plists are an Apple-specific file format, so it’s unclear what alternative might exist for Android applications. Ideally, we’d want a format that could support a variety of mobile ecosystems, but the mobile world is a lot more balkanized than the web. Still, it’s a beginning.
